GE Mark VIe, EX2100e, EX2100e
Monitor | 7.4 | ICS-CERT ICSA-18-347-04 | Dec 13, 2018
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A path traversal vulnerability in GE Mark VIe, EX2100e, EX2100e_Reg, and LS2100e controllers allows an attacker with adjacent network access to the controller-hosted web server to access system data and escalate privileges. The vulnerability affects EX2100e (all versions below 04.09.00C), Mark VIe (versions 03.03.28C through 05.02.04C), EX2100e_Reg (all versions below 04.09.00C), and LS2100e (all versions below 04.09.00C).
What this means
What could happen
An attacker on the same network segment could read sensitive system files from the controller and gain unauthorized access to critical process control equipment, potentially allowing them to modify control logic or system settings. This could disrupt power generation or excitation control operations.
Who's at risk
Energy sector operators running GE power generation and excitation control equipment should prioritize this issue. Specifically, operators of GE Mark VIe turbine control systems, EX2100e excitation controls, EX2100e_Reg regulator modules, and LS2100e load share controllers need to take action. This affects standalone excitation systems and integrated turbine control installations in power plants and generating stations.
How it could be exploited
An attacker must be on the same network segment (adjacent network) as the controller. They would target the controller-hosted web server using a path traversal attack to request system files outside the web server's intended directory. Successful exploitation exposes system data and may grant access to sensitive controller functions.
Prerequisites
- Network access to the controller on the same network segment (adjacent network)
- Controller-hosted web server must be enabled
- No authentication required
- Adjacent network access required (not remotely exploitable)
- Low attack complexity
- No authentication required
- Affects critical process control in power generation
- No patch available for affected versions
Exploitability
Moderate exploit probability (EPSS 1.8%)
Affected products (4)
4 pending
| Product | Affected Versions | Fix Status |
|---|---|---|
| EX2100e | All < 04.09.00C | No fix yet |
| Mark VIe | ≥ 03.03.28C, ≤ 05.02.04C | No fix yet |
| EX2100e_Reg | All < 04.09.00C | No fix yet |
| LS2100e | All < 04.09.00C | No fix yet |
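
An added example, not taken from the advisory or from GE: a small triage script that checks an asset inventory against the affected version ranges listed above. The inventory rows are constructed, and the ordering of the `NN.NN.NNX` version strings (numeric fields first, then the trailing letter) is an assumption of this example.

```python
import re
# Affected ranges from the advisory's product table: (low, high, high_inclusive).
AFFECTED = {
    "EX2100e": (None, "04.09.00C", False),
    "Mark VIe": ("03.03.28C", "05.02.04C", True),
    "EX2100e_Reg": (None, "04.09.00C", False),
    "LS2100e": (None, "04.09.00C", False),
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([A-Z]?)$")
LABELS = {True: "AFFECTED", False: "not affected", None: "REVIEW"}

def parse_version(text):
    """Parse 'NN.NN.NNX'. Assumption: order by the numeric fields, then the letter."""
    m = _VERSION.match(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def is_affected(product, version):
    """True/False per the advisory ranges; None if the product is not listed."""
    if product not in AFFECTED:
        return None
    low, high, high_inclusive = AFFECTED[product]
    v = parse_version(version)
    if low is not None and v < parse_version(low):
        return False
    h = parse_version(high)
    return v <= h if high_inclusive else v < h

def triage(inventory):
    """Return (asset, product, version, label) rows; bad versions go to REVIEW."""
    rows = []
    for asset, product, version in inventory:
        try:
            status = is_affected(product, version)
        except ValueError:
            status = None  # unparseable firmware string: check the device by hand
        rows.append((asset, product, version, LABELS[status]))
    return rows

# Constructed sample inventory; asset names and firmware versions are made up.
SAMPLE_INVENTORY = [
    ("unit1-exciter", "EX2100e", "04.08.02C"),
    ("unit1-turbine", "Mark VIe", "05.02.04C"),
    ("unit2-turbine", "Mark VIe", "05.03.01C"),
    ("unit3-turbine", "Mark VIe", "unknown"),
]
for row in triage(SAMPLE_INVENTORY):
    print("{:<14} {:<9} {:<10} {}".format(*row))
```

Rows labelled REVIEW are assets whose product or firmware string could not be matched and need a manual check.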
Remediation & Mitigation
Do now
- WORKAROUND: Disable the controller-hosted web server if not required for operations
- HARDENING: Implement a firewall inside EX2100e excitation panels to segment from other networks and restrict external protocols to only those required for command and control (Modbus); block HTTP and other unnecessary services
- HARDENING: Limit network availability of controllers to only critical needs; implement tight firewall restrictions at the network boundary
- WORKAROUND: Disable unnecessary network functions or enable only on an as-needed basis
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade to the latest firmware version available in the current ControlST release (GE recommends users contact GE Power via the GE Power ServiceNow portal)
Long-term hardening
- HARDENING: Maintain strict physical access control to critical controllers
- HARDENING: Review and implement the Mark VIe Control Systems Secure Deployment Guide (GEH-6839) for defense-in-depth protections
CVEs (1)